Bug 811156 (CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263) - <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities
Summary: <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [stable]
Keywords:
Depends on: 818703
Blocks:
Reported: 2021-08-30 19:41 UTC by Sam James
Modified: 2021-10-17 15:22 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester gentoo-dev Security 2021-08-30 19:41:03 UTC
From https://www.openwall.com/lists/oss-security/2021/08/30/1:

```
Security vulnerabilities were identified in the open source NTFS-3G and NTFSPROGS software. These vulnerabilities were confirmed and resolved. To our knowledge, these vulnerabilities have not been exploited.

These vulnerabilities may allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to potentially execute arbitrary privileged code, if the attacker has either local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port to a computer which is configured to run the ntfs-3g binary or one of the ntfsprogs tools when the external storage is plugged into the computer. These vulnerabilities result from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflows, which could be exploited by an attacker. Common ways for attackers to gain physical access to a machine are through social engineering or an evil maid attack on an unattended computer.

We recommend installing and applying the update with the security fixes, and advise following security guidance and frameworks such as NIST for assessing and improving an organization's abilities to prevent, detect, and respond to security threats and cyber attacks.

AFFECTED PRODUCTS: All previous versions of open source NTFS-3G and NTFSPROGS.

WORKAROUND: None

SOLUTION: Upgrade to 2021.8.22

PROJECT URL: https://github.com/tuxera/ntfs-3g

ADVISORY ID: NTFS3G-SA-2021-0001

ISSUE DATE: 2021-08-30

SEVERITY: Moderate

CVEs: CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263

CVSS SCORE: 3.9-6.7

ACKNOWLEDGMENT: Jeremy Galindo, Akshay Ajayan, Kyle Zeng and Fish Wang for reporting these vulnerabilities.
```
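The advisory above lists two preconditions for privileged code execution: a vulnerable ntfs-3g that is installed setuid root (local attacker), or a host that mounts attacker-supplied media with ntfs-3g/ntfsprogs (physical attacker). The POSIX sh script below is an added example, not part of this bug or of the NTFS-3G project, that checks those preconditions on a host: it compares the installed version against 2021.8.22 and tests the setuid bit on the binary. It assumes (this is not stated on the page) that `ntfs-3g --version` prints the version as the second word of its first output line; the `fixed` / `local-privesc` / `physical-only` labels are this example's own.

```sh
#!/bin/sh
# Added example for Gentoo bug 811156 / NTFS3G-SA-2021-0001; not the
# project's or the bug reporter's code. Classifies a host's exposure by
# the advisory's two preconditions (vulnerable version + setuid binary,
# or vulnerable version + automount of external media).

FIXED_VERSION="2021.8.22"   # SOLUTION line of the advisory

# version_lt A B: succeed (0) if dot-separated numeric version A < B.
# Missing trailing components count as 0, so 2021.8 < 2021.8.22.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# assess VERSION BINARY: prints one of
#   fixed          version >= 2021.8.22
#   local-privesc  vulnerable version and BINARY carries the setuid bit
#                  (the advisory's "local access" case)
#   physical-only  vulnerable version, no setuid bit; exposure remains
#                  wherever attacker-supplied media is auto-mounted
assess() {
    ver="$1"; bin="$2"
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo fixed
    elif [ -u "$bin" ]; then
        echo local-privesc
    else
        echo physical-only
    fi
}

# Live check of the running host.
main() {
    bin="$(command -v ntfs-3g 2>/dev/null)" || {
        echo "ntfs-3g not installed"
        return 0
    }
    # Assumption: version is word 2 of the first line of `ntfs-3g --version`.
    ver="$("$bin" --version 2>&1 | head -n1 | awk '{print $2}')"
    owner="$(stat -c %u "$bin" 2>/dev/null || echo '?')"
    echo "ntfs-3g $ver at $bin (owner uid $owner): $(assess "$ver" "$bin")"
}

main "$@"
```

A `local-privesc` result on a binary owned by uid 0 is the case the advisory rates highest; until the package is bumped, `chmod u-s` on the binary removes that path (at the cost of unprivileged users no longer being able to mount NTFS) but does not address the automount case, which is why the advisory lists no workaround.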
Comment 1 Sam James archtester gentoo-dev Security 2021-08-30 19:41:39 UTC
Please bump to 2021.8.22.
Comment 2 Larry the Git Cow gentoo-dev 2021-08-31 08:19:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf72416b29d1fc39f978044b7da63d909d90bd24

commit cf72416b29d1fc39f978044b7da63d909d90bd24
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-08-31 08:18:56 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-08-31 08:19:19 +0000

    sys-fs/ntfs3g: Security bump to version 2021.8.22
    
    Bug: https://bugs.gentoo.org/811156
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-fs/ntfs3g/Manifest                |  1 +
 sys-fs/ntfs3g/ntfs3g-2021.8.22.ebuild | 82 +++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)